A practical key recovery attack on the lightweight WG-5 stream cipher

Abstract

WG-5 is a lightweight stream cipher proposed for usage in the resource-constrained devices, e.g., passive RFID tags, industrial controllers, contactless smart cards and sensors. In this paper, a weakness called slide property of WG-5 which has not been discovered in previous works is for the first time explored and analyzed. The result shows that the probability that two related key-IV pairs of WG-5 generate the shifted keystreams can be up to 2−20, which is significantly high compared with an ideal stream cipher that generates the random keystreams. The correctness and accuracy of this theoretical probability is confirmed experimentally. Based on the slide property of WG-5, some key recovery attacks on WG-5 in the related key setting are proposed. The cryptanalytic result shows that the 80-bit secret key of WG-5 can be recovered with a time complexity of 225.615, requiring 6 related keys and 80 keystream bits for each of 224.585 chosen IVs. The experimental result validates our attack and shows that WG-5 can be broken within about 92.054 seconds on a common PC in the related key setting. These results imply that the design of WG-5 is far from optimal and needs to be strengthened to provide enough security for the lightweight constrained applications.